[57] ABSTRACT

A stealth interface for an intelligent front-end communication
system couples a plurality of actively redundant process control
computers to a computer network. The stealth interface in each of
the actively redundant process control computers includes a
multi-ported memory for storing dynamic data associated with the
physical process and for transferring this data to a front end
computer which is in communication with the computer network. The
multi-ported memory also includes a mailbox section for storing
messages sent between the front end computer and its actively
redundant process control computer. The stealth interface also
includes a guardian circuit which ultimately controls the ability of
the front end computer to write information to specific memory
locations in the multi-ported data memory.

STEALTH INTERFACE FOR PROCESS CONTROL COMPUTERS

This is a continuation of U.S. patent application Ser. No.
07/897,905, filed Jun. 12, 1992, now abandoned.

BACKGROUND OF THE INVENTION 

The present invention generally relates to "front-end" communication
techniques between process control computers and a plant/local area
network. More specifically, the present invention relates to a
"stealth" interface for a front-end communication system which is
capable of transparently handling rapid data transfers to and from a
process control computer with very high reliability and security.

In chemical manufacturing plants and other relatively large
processing plants, a network of control computers and operator
workstations may be needed to achieve automated control of an
ongoing physical process in the plant. For example, the Jones et al.
U.S. Pat. No. 4,663,704, issued on May 5, 1987, shows a distributed
processing system for a plant in which a single data highway connects
all the various input/output terminals, data acquisition stations,
control devices, record keeping devices and so forth. Similarly, the
Henzel U.S. Pat. No. 4,607,256, issued on Aug. 19, 1986, shows a
plant management system which utilizes a plant control bus for the
purpose of transmitting data to physical computer modules on the
network.

In some of these process control computer networks, redundant
process control computers are employed to enhance the reliability of
the plant control and monitoring system. For example, the Fiebig et
al. U.S. Pat. No. 5,008,805, issued on Apr. 16, 1991, shows a
networked control system which includes a "hot standby" redundant
processor that synchronously processes a control schedule table for
comparison with control messages from a sender processor that are
transmitted on the network. The redundant listener processor
maintains a duplicate configuration in its memory ready to take over
control of the system in the event of a failure of the sender
processor. As another example, the McLaughlin et al. U.S. Pat. No.
4,958,270, issued on Sep. 18, 1990, shows a networked control system
which employs a primary controller and a secondary controller. In
order to maintain consistency between the primary data base and a
secondary image of the data base, only predetermined areas changed
are updated as a way of increasing the efficiency of the update
function. Similarly, the Slater U.S. Pat. No. 4,872,106, issued on
Oct. 3, 1989, shows a networked control system which employs a
primary data processor and a back-up data processor. Normally, the
back-up processor will be in a back-up mode of operation, and it will
not operate to exercise control over the input/output devices or
receive data concerning the states of the input/output devices.
Accordingly, control over the input/output devices is exclusively
carried out by the primary processor. However, the primary processor
periodically transfers status data relating to its operation in the
control of the input/output devices to the back-up data processor via
a dual ported memory connected between the two processors.

In contrast with the above networked control systems, another
control technique for redundant process control computers exists in
which both of the process control computers operate on input data and
issue control commands to the same output devices. This type of
control technique may be referred to as active redundancy, because
each of the redundant process control computers operate
independently and concurrently on common input data. A discussion of
this type of control technique may be found in the Glaser et al. U.S.
patent application Ser. No. 07/864,931, filed on Mar. 31, 1991,
entitled "Process Control Interface System Having Triply Redundant
Remote Field Units", now U.S. Pat. No. 5,428,769. This application is
hereby incorporated by reference.

The use of active redundancy as a control technique presents a
difficult problem in terms of communication with the plant computer
network, as each actively redundant process control computer will
receive a set of input values and each of these process control
computers will generate a set of output values. In the case where the
actively redundant process control computers arbitrate or resolve
some or all of the input and/or output values, to the extent that
differences do exist, then multiple sets of input and output values
could be created. For example, a set of pre-arbitration and
post-arbitration input data values could potentially be available
from each of the actively redundant process control computers.
Accordingly, it would be desirable to enable some or all of these
data sets to be matched up and analyzed by another computer on the
plant network without interfering with or slowing down the operation
of the actively redundant process control computers.

Additionally, it would be desirable to permit one or more of the
computers on the plant network to modify certain values used by the
program in each of the actively redundant process computers as the
need may arise, such as analog constants. However, it should be
appreciated that such an activity would need to be restricted in some
manner, as predictable changes in the operation of physical devices
should be assured.

Accordingly, it is a principal objective of the present invention to
provide a stealth interface for a front-end communication system
which enables rapid and highly reliable data transfers between an
actively redundant process control computer and a plant/local area
network.

It is another objective of the present invention to provide a
stealth interface for a front-end communication system which enables
data transfers in a manner that is non-intrusive to the operation of
the actively redundant process control computer.

It is also an objective of the present invention to provide a
stealth interface for a front-end communication system which enables
messages to be transferred to the actively redundant process control
computers in a non-intrusive manner to the operation of the actively
redundant process control computer.

It is a further objective of the present invention to provide a
stealth interface which enables the actively redundant process
control computer to ultimately control write operations by external
entities to memory locations in the actively redundant process
control computer.

It is an additional objective of the present invention to provide a
stealth interface which is capable of handling data transfers with a
plurality of external communication devices.

SUMMARY OF THE INVENTION 

To achieve the foregoing objectives, the present invention provides
a "stealth" interface for a front-end communication system which is
interposed between a plurality of actively redundant process control
computers and a computer network. A separate stealth interface
resides in each of the actively redundant process control computers,
and each of these stealth interfaces communicate with a front end
computer which is coupled to the computer network. Each stealth
interface features a multi-ported memory for storing dynamic data
associated with the physical process, and for transferring some or
all of this data to the computer network. In this regard, the stealth
interface derives its name from its ability to transfer data from the
multi-ported memory in a way which is transparent to its actively
redundant process control computer. In one form of the present
invention, the front end computer is permitted read access to all of
the memory locations in the multi-ported memory.

The multi-ported memory of the stealth interface also includes a
mailbox section which is used to store messages from the front end
computer to the actively redundant process control computer. However,
in order to more completely control this write access capability by
the front end computer, the stealth interface further includes a
guardian circuit which prevents the front end computer from writing
to any memory location in the multi-ported memory other than the
mailbox section. Accordingly, while the front end computer may be
permitted read access to the entire contents of the multi-ported
memory, the actively redundant process control computer will
ultimately determine the write access for the front end computer. The
mailbox section of the multi-ported memory will also enable the front
end computer to transfer new computer program instructions to the
actively redundant process control computer in a download mode.

In one form of the present invention, the multi-ported memory in
each of the actively redundant process control computers also
includes an arbitration technique for permitting the multi-ported
memory to be accessed by a plurality of different communication
devices. Thus, the dynamic data and/or other variable data stored in
the multi-ported memory may be made accessible to other external
entities without interfering in any way with the operation of the
actively redundant process control computer.

Additional features and advantages of the present invention will
become more fully apparent from a reading of the detailed description
of the preferred embodiment and the accompanying drawings in which:

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an intelligent front-end communication
system for a plurality of actively redundant process control
computers which utilizes a stealth interface according to the present
invention.

FIGS. 2A and 2B provide a diagrammatic representation of the data
tables stored in a time aligned reflective memory buffer and the
Correlate buffer shown in FIG. 1.

FIG. 3 is a block diagram of the stealth interface shown 
in FIG. 1. 

FIGS. 4A and 4B comprise a schematic diagram of the stealth
interface of FIGS. 1 and 3.

FIGS. 5A and 5B illustrate two timing diagrams for the stealth
interface.

Referring to FIG. 1, a block diagram is shown of an intelligent
front-end communication system 10 which is coupled to a pair of
actively redundant process control computers 12a-12b. Each of the
process control computers 12a-12b receive common input data from
field computer units (not shown) or other suitable field
instrumentation. In this regard, the Glaser et al. U.S. patent
application Ser. No. 07/864,931, referenced above, describes in
detail the communication and control links between a pair of actively
redundant process control computers, such as process control
computers 12a-12b, and the input/output devices directly associated
with the physical process being controlled.

While the redundancy of two actively operating process control
computers has certain fault tolerance advantages over a single
decision making process control computer, it should be understood
that the principles of the present invention are not limited to any
particular configuration of process control computers. Thus, for
example, it may be desirable to employ three process control
computers in the place of the two process control computers 12a-12b
shown in FIG. 1 under the appropriate circumstances.

In the present embodiment, the process control computers 12a-12b
preferably operate concurrently on all of the signals transmitted
from one or more field computer units. In other words, each of the
process control computers 12a-12b are capable of making independent
decisions based upon the data received by these redundant computers
from the field. The decisions made by the process control computers
12a-12b determine the output signal values which are ultimately
directed to specific output devices (e.g., valves, pump motors and
reactor heaters) by the appropriate field computer units. While the
output signal values are preferably reconciled at least to some
extent between the two actively redundant process control computers
12a-12b before the transmission of these signals to the field, it
should be understood that two independent sets of output signal
values could be communicated to the field computer units. In this
regard, the input values received from a field computer unit could be
arbitrated, which should make it unnecessary to reconcile or
arbitrate output values. This is because both of the process control
computers 12a-12b would then be working with the same process control
program and operating on the same set of arbitrated input values.

As an example of a preferred form of possible value reconciliation,
corresponding input value tables in each of the process control
computers 12a-12b could be compared during a preset time period, and
one of the values could be chosen for each input value signal to be
subjected to the process control program. This selection of input
values could be made on a suitable criteria to the process being
controlled, such as the use of the value determined by the Left
process control computer 12a when the value determined by the Right
process control computer 12b is within a certain predetermined
percentage limit (e.g., 2.5%). Otherwise, the distinct input values
of both the Left and Right process control computers could each be
employed when these values are found to be outside the predetermined
percentage limit. Alternatively, the selection of different
input/output values from the Left and Right process control computers
could be made on the basis of a software implemented preference.
Thus, for example, under certain process conditions, it may be
considered more appropriate to select either the high or low value,
regardless of whether the value was determined by the Left or Right
process control computer.

To facilitate this arbitration or reconciliation process, a parallel
communication link 14 is provided between the process control
computers 12a-12b. Parallel communication link 14 is referred to as
the "major" link, as it permits a direct transfer of data and timing
signals between the process control computers. It should also be
noted that the Left process control computer 12a is labeled "fox",
while the Right process control computer 12b is labeled "dog". These
are logical designations for alternative operating modes of the
process control computers 12a-12b.

While each of the process control computers 12a-12b make independent
decisions, which may be subject to arbitration, the process control
computer currently in the fox mode has the ability to force the
process control computer in the dog mode to move to a subsequent step
in a programmed sequence in order to keep the cooperative efforts of
the two process control computers in relative synchronization.
Additionally, the process control computer in the fox mode will
transmit a timing signal to the process control computer in the dog
mode at the beginning of its process control program cycle (e.g., a
one second period), so that the process control computer in the dog
mode will know to begin a new process control program cycle as well.
As the process control computers 12a-12b operate under their own
clock oscillators, the detection and interpretation of this program
cycle timing signal by the process control computer in the dog mode
will help to periodically keep these process control computers in
relative synchronization. However, it should be appreciated that the
program cycle of the process control computer in the dog mode will
typically follow the program cycle of the process control computer in
the fox mode by the period of time it takes to transmit and then
detect the program cycle timing signal (e.g., 20-microseconds to
20-milliseconds).

In the event that process control computers 12a-12b are temporarily
not able to communicate over the major link 14, each of these process
control computers will continue their operations in a mode which
assumes that they are operating alone. In this mode of operation, it
should be appreciated that the program cycles of the process control
computers 12a-12b may gradually drift apart in time relative to each
other. Nevertheless, as will be seen from the discussion below, the
front end communication system 10 is designed to enable data received
from the process control computers 12a-12b to be time aligned for
real-time analysis.

As illustrated in FIG. 1, each of the process control computers
12a-12b includes a stealth interface according to the present
invention. In particular, process control computer 12a includes
stealth interface circuit 16a, while process control computer 12b
includes stealth interface circuit 16b. As the stealth interface
circuits 16a-16b comprise identical circuits, these stealth interface
circuits are sometimes referred to generally herein as stealth
interface circuit 16. Due to the redundant nature of the front end
communication system 10, a general reference number will also be used
for other duplicative components in the system.

The stealth interface 16 provides transparent data transfers between
the process control computer to which it is connected and external
communication devices. In this regard, the data transfers are
transparent to the process control computer 12 in that the operation
of the process control computer is not delayed or otherwise adversely
affected by a transfer of its data to one or more external
communication devices. The stealth interface 16 also enables the
transfer of messages from an external communication device without
affecting the operation of the process control computer 12. The
primary example of such an external communication device is shown in
FIG. 1 to be comprised of a pair of redundant front end computers
18a-18b. The front end computers 18a-18b are redundant, because
communication paths are provided for enabling each of these front end
computers to exchange data and messages with both of the stealth
interface circuits 16a-16b.

Each of the front end computers 18a-18b provide a highly intelligent
interface between the stealth interface circuits 16a-16b and a
plant/local area network, which is generally designated by reference
numeral 20. However, since each of the redundant front end computers
18a-18b are capable of communicating with each of the stealth
interface circuits 16a-16b, it should be appreciated that this
redundancy is not required, and that a single front end computer
could be utilized in the appropriate application. Additionally, as
will be more apparent from the discussion below, each of the stealth
interface circuits are capable of exchanging data and messages with
other external communication devices, as well as the front end
computers 18a-18b.

As illustrated in FIG. 1, the stealth interface circuit 16 features
a dual-ported memory "DPM" 22 which resides on the bus structure of
the process control computer 12. Indeed, in the embodiment disclosed
herein, the dual-ported memory 22 provides the primary or only data
memory for the process control computer 12. Thus, in accordance with
the present invention, the stealth interface circuit 16 will
selectively grant external devices direct access to the data memory
of the process control computer itself. The dual-ported memory 22
includes an internal port which is connected to the bus structure of
the process control computer 12 and an external port, which is
sometimes referred to herein as the stealth port. While the
dual-ported memory 22 could be configured to provide additional
ports, the dual-ported memory preferably includes an arbitration
circuit which enables a plurality of external communication devices
to have alternative access to the stealth port. In other words, only
one external device will be able to use the data and address lines of
the stealth port at any given time when access to the dual-ported
memory is permitted through the stealth port, even though more than
one external device may ultimately be coupled to the data and address
lines of the stealth port. In the present embodiment, the stealth
interface arbitration circuit employs a first-come, first-serve
approach to granting access rights.

However, in accordance with the present invention, this arbitration
circuit operates only on the stealth port. There is no arbitration
per se between the internal and external ports of the stealth
interface circuit 16. Rather, access to the dual-ported memory 22
from the external/stealth port is available only during those times
when the process control computer 12 cannot access the dual-ported
memory. More specifically, in the form of invention disclosed herein,
the machine cycle of the process control computer 12 is utilized to
control access to the dual-ported memory 16. As is well known, the
central process unit of any computer must fetch and decode one or
more programmed instructions in order to operate on one or more data
words. In computers based upon the von Neumann architecture, it
typically takes several computer clock cycles to fetch, decode and
execute an instruction. However, in the present embodiment, the
process control computer 12 is based on the Harvard architecture,
which permits both an op-code instruction and the operand data for
this instruction to be fetched in the same clock cycle. This is
because a computer based upon the Harvard architecture includes
physically separate instruction and data stores, and each of these
stores have their own address and data lines to the central
processing unit. Thus, during the portion of the clock cycle for the
process control computer 12 that is devoted to fetching and decoding
an instruction, the dual-ported data memory 22 may be accessed from
the stealth port. Then, during the portion of the clock cycle for the
process control computer 12 that is devoted to fetching the operand
from the data store, the process control computer will have access to
the dual-ported data memory 22 from the internal port.

In accordance with the present invention, the stealth interface
circuit 16 watches for a specific transition in the memory clock
signal of the process control computer 12 in order to determine when
the stealth port may have access to the dual-ported data memory 16.
In this regard, it should be understood that the process control
computer itself is not affected by this external access, as external
access is permitted by the stealth interface circuit 16 only during
those time periods when the process control computer 12 will not need
to access the dual-ported data memory 22. Indeed, the process control
computer 12 does not even have to know that externally generated
read/write activity is actually occurring with respect to its data
store. Nevertheless, in accordance with the present invention, an
important distinction is made between the ability to "read" from the
dual-ported data memory 22 and the ability to "write" to the
dual-ported data memory, as far as the stealth port is concerned.
While it may be desirable to enable an external communication device
to read each and every memory location in the dual-ported data memory
22, this may not be true with respect to the ability of an external
device to write to memory locations in the dual-ported memory. In
this regard, the dual-ported data memory 22 will store not only
dynamic data associated with the physical process being controlled,
but it may also store other process control variables, such as analog
and digital constants.

Accordingly, the dual-ported memory 22 includes two "logical" memory
sections, namely variable section 24 and mailbox section 26. These
memory sections are logically distinct, because they are treated
separately, even though they may both reside in the same physical
memory circuit chip or chip set. In the present embodiment, the
mailbox section 26 is comprised of a set of 256 memory word locations
(16 bits each) in the dual-ported data memory 22, and the variable
section 24 is comprised of the remaining memory locations in the
dual-ported data memory 22 (e.g., a block of 64k memory word
locations). The variable section 24 may also include a message area
for holding messages from the process control computer 12 to the
front end computer 18. The mailbox section 26 is used to provide a
specific region in memory for storing messages from external devices,
such as the front end computers 18a-18b. In this regard, it should be
appreciated that the memory locations of the mailbox section 26 do
not need to be physically contiguous. While the mailbox section 26
may be configured to hold more than one message at any one time,
depending upon the message transmission protocol employed, the
mailbox section need only be large enough to hold one complete
message. These messages may be as simple as an external request for
the process control computer 12 to gather and transmit health/status
data from a remote field computer unit that it may obtain less
frequently. A message may also include a command to change a
particular variable stored in the dual-ported data memory 22.
Additionally, the mailbox section 26 of the dual-ported data memory
22 may also be used to electronically convey a program revision to
the process control computer 12.

As will be more fully discussed below, the stealth interface circuit
16 includes a guardian circuit which prevents any external entity
from writing to any memory locations in the variable section 24 of
the dual-ported data memory 22. Thus, while some or all of the memory
locations in the dual-ported data memory 22 may be read from the
stealth port, an external entity is only permitted to write to the
memory locations in the mailbox section 26 of the dual-ported memory
22. This feature of the present invention provides a hardware
safe-guard at the process control computer 12 which insures that no
external entity will be able to inadvertently interfere with the data
processing operations of the process control computer 12. As will be
more apparent from the discussion below, this feature of the present
invention could also be employed to grant or deny external write
access to any particular memory location or set of memory locations
in the dual-ported data memory 22.
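
The read/write distinction and the phase-gated stealth port described above can be modelled in software. The following C model is an added example, not circuitry or code from the patent: the 64k-word total size, the mailbox base address 0xFF00 and all function names are assumptions, and a per-word permit bitmap stands in for the guardian circuit.

```c
/* Added example: software model of the guardian write gate on the stealth port. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DPM_WORDS     65536u  /* assumed total size: 64k 16-bit words */
#define MAILBOX_WORDS 256u    /* mailbox size given in the text */
#define MAILBOX_BASE  0xFF00u /* hypothetical placement, not from the patent */

typedef enum { PHASE_INSTR_FETCH, PHASE_OPERAND_FETCH } clk_phase_t;
typedef enum { DPM_OK, DPM_BUSY, DPM_DENIED, DPM_RANGE } dpm_status_t;

typedef struct {
    uint16_t    word[DPM_WORDS];
    uint8_t     write_ok[DPM_WORDS / 8]; /* guardian map, one bit per word */
    clk_phase_t phase;                   /* current part of the machine cycle */
    unsigned    denied;                  /* external writes the guardian rejected */
} dpm_t;

/* Internal side only: the process control computer decides which words an
 * external device may write. One bit per word lets the mailbox be
 * non-contiguous, as the text allows. */
static void guardian_permit(dpm_t *d, uint32_t addr, bool allow)
{
    if (addr >= DPM_WORDS) return;
    if (allow) d->write_ok[addr / 8] |= (uint8_t)(1u << (addr % 8));
    else       d->write_ok[addr / 8] &= (uint8_t)~(1u << (addr % 8));
}

static void dpm_init(dpm_t *d)
{
    memset(d, 0, sizeof *d);
    d->phase = PHASE_OPERAND_FETCH;
    for (uint32_t a = 0; a < MAILBOX_WORDS; a++)
        guardian_permit(d, MAILBOX_BASE + a, true);
}

/* Stealth port: served only while the CPU fetches/decodes an instruction,
 * so the internal port is never delayed. Reads are allowed at any address. */
static dpm_status_t stealth_read(const dpm_t *d, uint32_t addr, uint16_t *out)
{
    if (addr >= DPM_WORDS) return DPM_RANGE;
    if (d->phase != PHASE_INSTR_FETCH) return DPM_BUSY;
    *out = d->word[addr];
    return DPM_OK;
}

/* Stealth port write: same timing window, plus the guardian check. */
static dpm_status_t stealth_write(dpm_t *d, uint32_t addr, uint16_t val)
{
    if (addr >= DPM_WORDS) return DPM_RANGE;
    if (d->phase != PHASE_INSTR_FETCH) return DPM_BUSY;
    if (!(d->write_ok[addr / 8] & (1u << (addr % 8)))) {
        d->denied++;                     /* worth alarming on in a real system */
        return DPM_DENIED;
    }
    d->word[addr] = val;
    return DPM_OK;
}

/* Internal port: operand-fetch part of the cycle, no guardian restriction. */
static dpm_status_t internal_write(dpm_t *d, uint32_t addr, uint16_t val)
{
    if (addr >= DPM_WORDS) return DPM_RANGE;
    if (d->phase != PHASE_OPERAND_FETCH) return DPM_BUSY;
    d->word[addr] = val;
    return DPM_OK;
}

static dpm_t g_dpm; /* static storage: about 136 KB, too large for small stacks */

/* Constructed scenario: returns how many external writes were rejected. */
static unsigned run_scenario(void)
{
    uint16_t v = 0;
    dpm_init(&g_dpm);
    internal_write(&g_dpm, 0x0010, 1234);        /* e.g. an analog constant */
    g_dpm.phase = PHASE_INSTR_FETCH;             /* stealth window opens */
    stealth_write(&g_dpm, 0x0010, 9999);         /* variable section: denied */
    stealth_write(&g_dpm, MAILBOX_BASE, 0x00A5); /* mailbox: accepted */
    stealth_read(&g_dpm, 0x0010, &v);            /* read of any word is fine */
    return (v == 1234) ? g_dpm.denied : 0xFFFFu;
}

int main(void)
{
    printf("denied external writes: %u\n", run_scenario());
    return 0;
}
```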

In order to rapidly pump data into or out from the stealth port, the
front end communication system 10 of FIG. 1 is also shown to include
an interface to stealth "IFS" circuit 28, an interface to Q-bus "IFQ"
circuit 30, and a set of fiber optic cables 32 interposed
therebetween. The IFS circuit 28 is connected to the stealth port of
the dual-ported data memory 22, while the IFQ circuit 30 resides on
the "Q bus" of the front end computer 12. Due to the redundant nature
of the front end communication system 10, it should be appreciated
that the IFS circuit 28a is connected to the stealth port of
dual-ported data memory 22a, while IFS circuit 28b is connected to
the stealth port of dual-ported data memory 22b. Similarly, the IFQ
circuit 30a is connected to the Q bus of the front end computer 18a,
while the IFQ circuit 30b is connected to the Q bus of the front end
computer 18b. In the embodiment disclosed herein, the front end
computer 18 is preferably comprised of a MICROVAX 3400 computer using
the real-time ELN operating system from the Digital Equipment
Corporation "DEC". While the VAX family of computers from DEC offer
considerable speed and networking advantages, it should be
appreciated that other suitable front end computers may be employed
in the appropriate application.

In order to permit each of the front end computers 18a-18b to
conduct bi-directional communications with both of the stealth
interface circuits 16a-16b, the fiber optic cables 32 actually
include two sets of send and receive optical fibers (e.g.,
62.5/125/0.275NA type fibers). However, the separate send and receive
optical fibers for each of the front end computers 18a-18b are
represented as single channels in FIG. 1 for simplicity. Thus, fiber
optic channel 34a includes a separate optical fiber for sending
information from the front end computer 18a to the stealth interface
circuit 22a and an optical fiber for receiving information from the
stealth interface circuit 22a. Similarly, the fiber optic channel 36a
includes a separate optical fiber for sending information from the
front end computer 18a to the stealth interface circuit 22b and an
optical fiber for receiving information from the stealth interface
circuit 22b. This arrangement of optical fibers is also duplicated
for the front end computer 18b.

In the present embodiment, the combination of the IFS circuit 28,
the IFQ circuit 30 and the fiber optic cables 32 provide an optical
transmission interface which permits the front end computers 18a-18b
to be remotely located from the process control computers 12a-12b.
For example, in this embodiment it is possible for the front end
computers 18a-18b to be located up to 2 km from the process control
computers 12a-12b. Additionally, it should be noted that the Fiber
Distributed Data Interface "FDDI" protocol may be used to transmit
information between the IFQ and IFS circuits over the fiber optic
cables 32.

The IFS circuit 28 includes the appropriate address and data buffer
circuits (not shown) for transferring information to and from the
stealth port of the dual-ported data memory 22. The IFS circuit 28
also includes a transfer map 37 which enables data from selected
locations in the dual-ported data memory 22 to be gathered and
transferred as one contiguous block of data. The transfer map 37 may
be comprised of a static RAM with sufficient address storage
capability to gather data from all of the available memory locations
in the dual-ported data memory 22.

Additionally, the IFS circuit 28 includes a separate transmitter and
receiver circuit for each of the two front end computers 18a-18b,
such as transmitter 38a and receiver 40a. The transmitter is adapted
to convert parallel data words (e.g., 16 bits) from the stealth port
into a serial bit stream suitable for transmission over one of the
fiber optic cables 32. Similarly, the receiver 40a is adapted to
convert a serial bit stream from the front end computer 18 into a
parallel data word for transmission to the stealth port through one
or more of the IFS circuit buffers. A corresponding set of
transmitters and receivers are also provided in the IFQ circuit 30,
such as transmitter 38b and receiver 40b. From the above, it should
be appreciated that the use of two sets of transmitter-receiver pairs
enables data to be transferred and/or received simultaneously between
both of the IFS circuits 28a-28b and both of the IFQ circuits
30a-30b. Thus, for example, the IFS circuit 28 is capable of
simultaneously transmitting data acquired from the process control
computer 12a to both of the front end computers 18a-18b.

While not shown for illustration simplicity, it should be
appreciated that a laser or LED light source is interposed
between each of the transmitters (e.g., transmitters 38a-38b)
and their respective optical fibers. Similarly, a
photo-detector is also interposed between each of the receivers (e.g.,
receivers 40a-40b) and their respective optical fibers. For
example, these light converters may be comprised of a pair
of AT&T ODL200 series converters. While fiber optic cables
are preferred for their speed, low error rate and security
advantages over mediums such as coaxial cable, it should be
understood that other suitable data transmission medium
could be employed in the appropriate application.

In the present embodiment, the transmitters and receivers
in the IFS and IFQ circuits are preferably comprised of a
high-performance Gallium Arsenide chipset, such as the
"Gazelle" GA9011 transmitter and GA9012 receiver from
Triquint Semiconductor, Inc., 2300 Owens St., Santa Clara,
Calif. These particular transmitters and receivers permit data
transmission rates in excess of 200 Mbits/second. These
transmitters and receivers utilize a 40-bit wide parallel bus
which enables data to be encoded into a 50-baud word using
FDDI-standard 4B/5B encoding. In this encoding, 4-bit data
nibbles are translated into a 5-baud code symbol.
Accordingly, the 4B/5B encoding produces ten 5-baud symbols
from ten 4-bit data nibbles in order to comprise a data frame.
The GA9011 transmitters also convert the serial stream from
a Non-Return to Zero "NRZ" format to a Non-Return to
Zero, Invert on ones "NRZI" format, which combines the
transmission of data and clock signals into a single
waveform. The NRZI waveform denotes a logical one with a
polarity transition and a logical zero with no transition
within the bit-time-frame. These logical ones and zeros are
called bauds, and each group of five bauds are called a
symbol. For example, a "0000" 4-bit binary input will be
converted to a "11110" 5-baud binary symbol output, while
a "1011" 4-bit binary input will be converted to a "10111"
5-baud binary symbol output.

The use of 4B/5B encoding and NRZI formatting combine
to substantially enhance the reliability of high-speed data
transmissions over the fiber optic cables. The GA9012
receivers have built in clock and data recovery (e.g., NRZI
to NRZ conversion), and they also monitor the incoming 5B
symbols for validity. In this regard, the 4B/5B encoding
creates a number of invalid symbols which may be checked
for at the GA9012 receivers. As the presence of noise or
jitter across the fiber optic link could cause one or more of
the bauds to change to an unintended value, the detection of
invalid symbols reduces the possibility of a transmission
error going undetected.

As an additional layer of protection from potential errors,
data transmissions from the IFS circuit 28 are formed into
complete data frames, which are comprised of the data to be
transferred (i.e., the 40-bit input data frame), a 16-bit
destination address field, a 4-bit control code field and a
4-bit error detection code field. These complete data frames
are preferably separated from each other on the fiber optic
link by at least one sync frame. As potential physical link
errors may have a burst or clustering nature, the error code
needs to be able to detect up to four contiguous bit errors. In
this regard, a Longitudinal Redundancy Check "LRC" code
is employed to prevent masked errors from potentially
corrupting subsequent data processing operations. This type
of error code is also referred to as a "Longitudinal Parity
Check". In a LRC code, a 4-bit nibble composed of parity
bits is generated and inserted into the encoded data stream
for a predetermined number of data nibbles in the encoded
data stream, as shown below:

where pi=bi1 Xor bi2 Xor . . . Xor bi9, and i=bit location 1
to 4. Thus, the ith bit of this parity check character checks
the ith information bit position in data nibbles 1 through 9
under even parity conditions. The combination of the LRC
error checking, the 4B/5B encoding and the NRZI
conversion enable the front end communication system 10 to
provide a targeted Baud Error Rate "BER" of 1E-12. While
a Cyclic Redundancy Check "CRC" code could be
employed in lieu of the LRC code, the more complicated
CRC code would also increase the complexity of the IFQ
and IFS circuits. Additionally, the LRC coding more readily
permits dual fiber optic channel signal transmissions
between the IFS and IFQ circuits, and the intrinsic
synchronization features of the Gazelle transmitters 38a-38b and
receivers 40a-40b may be used to frame the LRC based
protocols.
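
The layered link checks described above (4B/5B symbol validity, the LRC nibble and NRZI line coding) can be exercised in a few lines. This is an added example, not circuitry or code from the patent: it assumes one 40-bit word carries nine data nibbles followed by the LRC nibble, uses the FDDI 4B/5B data-symbol table, assumes the NRZI line starts at level 0, and all function names and the sample nibbles are constructed for illustration.

```python
# Added example: 4B/5B + LRC + NRZI link checks (names and sample data are assumptions).
FOUR_TO_FIVE = {  # FDDI 4B/5B data symbols
    0x0: "11110", 0x1: "01001", 0x2: "10100", 0x3: "10101",
    0x4: "01010", 0x5: "01011", 0x6: "01110", 0x7: "01111",
    0x8: "10010", 0x9: "10011", 0xA: "10110", 0xB: "10111",
    0xC: "11010", 0xD: "11011", 0xE: "11100", 0xF: "11101",
}
FIVE_TO_FOUR = {sym: nib for nib, sym in FOUR_TO_FIVE.items()}

SAMPLE = [0x0, 0xB, 0x3, 0x7, 0xA, 0x1, 0xF, 0x4, 0xC]  # constructed data nibbles


def lrc_nibble(nibbles):
    """p_i = b_i1 xor ... xor b_i9: column-wise even parity over the nibbles."""
    parity = 0
    for nib in nibbles:
        parity ^= nib & 0xF
    return parity


def build_word(data_nibbles):
    """Nine data nibbles plus the LRC nibble (assumed layout of one 40-bit word)."""
    if len(data_nibbles) != 9:
        raise ValueError("expected nine data nibbles")
    return list(data_nibbles) + [lrc_nibble(data_nibbles)]


def lrc_ok(word):
    """Under even parity the XOR over all ten nibbles must be zero."""
    return lrc_nibble(word) == 0


def encode_4b5b(word):
    """Ten 4-bit nibbles become ten 5-baud symbols (50 bauds)."""
    return [int(b) for nib in word for b in FOUR_TO_FIVE[nib]]


def nrzi_encode(bauds, level=0):
    """A logical one toggles the line level, a logical zero leaves it unchanged."""
    out = []
    for b in bauds:
        level ^= b
        out.append(level)
    return out


def nrzi_decode(levels, level=0):
    """A transition between consecutive levels decodes to one, no transition to zero."""
    out = []
    for cur in levels:
        out.append(cur ^ level)
        level = cur
    return out


def transmit(data_nibbles):
    return nrzi_encode(encode_4b5b(build_word(data_nibbles)))


def receive(levels):
    """Return (status, data): symbol validity is checked first, then the LRC."""
    bauds = nrzi_decode(levels)
    word = []
    for i in range(0, len(bauds), 5):
        sym = "".join(str(b) for b in bauds[i:i + 5])
        if sym not in FIVE_TO_FOUR:
            return ("invalid-symbol", None)
        word.append(FIVE_TO_FOUR[sym])
    if not lrc_ok(word):
        return ("lrc-mismatch", None)
    return ("ok", word[:9])


def flip_bits(word, start, length):
    """Flip `length` contiguous bits of the 40-bit word, starting at bit `start`."""
    bits = [(nib >> (3 - k)) & 1 for nib in word for k in range(4)]
    for pos in range(start, start + length):
        bits[pos] ^= 1
    return [int("".join(map(str, bits[i:i + 4])), 2) for i in range(0, len(bits), 4)]


if __name__ == "__main__":
    line = transmit(SAMPLE)
    print(receive(line))
    # A burst of up to four contiguous bits touches each parity column at most
    # once, so the LRC always flags it.
    print(lrc_ok(flip_bits(build_word(SAMPLE), 6, 4)))
    # Two errors in the same column of different nibbles cancel out: this is
    # the masked case the LRC alone cannot see.
    masked = build_word(SAMPLE)
    masked[0] ^= 0x8
    masked[1] ^= 0x8
    print(lrc_ok(masked))
```

A single corrupted line level changes at most two adjacent decoded bauds, and the two checks together catch every such case for this word; the last lines show why the page treats a CRC as the stronger but more complex alternative.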

The IFQ circuit 30 includes a microprocessor 42 (e.g., an
Intel 80186 chip) which provides the data pump for the front
end computer 18. The microprocessor 42 is not only
responsible for all IFQ/IFS protocol control and relaying data from
the process control computers 12a-12b to a destination on
the network 20, but it is also responsible for controlling the
integrity of write activities to the IFS and IFQ circuits. For
example, the microprocessor 42 may be used to program the
transfer map 37 in the IFS circuit 28, so that only a particular
sub-set of data in the dual-ported data memory 22 may be
gathered and transmitted to the front end computer 18, if less
than all of the available variables (e.g., input/output values,
alarms and events) is desired. In this way, the actual contents
of the transfer map 37 may be dependent upon a specific
process control application.

All signal transmissions between the IFQ circuit 30 and
the IFS circuit are under the control of IFQ circuit
microprocessor 42. In this regard, there are three types of data
transmissions from the IFQ circuit 30 to the IFS circuit 28,
namely "load transfer map", "send command messages" and
"receive data". The load transfer map transmission will
enable the IFQ circuit 30 to load the transfer map 37 of the
IFS circuit 28 with the specific variable addresses which will
steer the data memory transmit bursts from the IFS circuit.
The receive data transmission will cause the IFS circuit 28
to return the requested segment of memory from the
dual-ported data memory 22.

A command message transmission will start with a
Write-Lock request to the IFS circuit 28. Assuming that incoming
buffer is free, the IFS circuit 28 will assert a Write-Lock on
the mailbox section 26 of the dual-ported data memory 22,
and return a positive acknowledgement to the IFQ circuit 30.
The IFQ circuit 30 may then transmit its message with the
assurance that no other device will be able to write to the
mailbox section 26 until its message has been completely
stored and preferably read by the process control computer
12. However, a time limit may be imposed on the Write Lock
to ensure that the flow of communications is not impeded by
one of the external entities connected to the stealth interface
circuit 16. It should also be appreciated that message
transmissions should not take place during any time in which a
data burst should be received from the IFS circuit 28.

As another measure of data transmission protection, the
IFQ circuit 30 will cause the IFS circuit 28 to read back a
message transmitted to and stored in the mailbox section 26
of the dual-ported data memory 22 in order to be sure that
the message was transmitted and stored correctly. Once the
IFQ circuit 30 determines that the message has been
accurately received and stored, then the IFQ circuit will cause a
flag to be set which will signal the process control computer
12 to pick up the new message. In the event that this data
verification fails, then the entire message transmission
process will be repeated.
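
The command-message sequence of the two preceding paragraphs (Write-Lock request, store, read-back verification, flag, full retry on a failed verification, and a time limit on the lock) is modelled below. This is an added example and not the patent's implementation: the class, the method names, the 0.5 second lock limit, the retry count and the sample message are all assumptions made for illustration.

```python
# Added example: Write-Lock / read-back handshake for the mailbox section
# (all names, the 0.5 s lock limit and the retry count are assumptions).

class Mailbox:
    """Stand-in for the mailbox section 26 plus the IFS-side Write-Lock."""

    def __init__(self, lock_limit=0.5):
        self.lock_limit = lock_limit   # assumed time limit on the Write-Lock, seconds
        self.owner = None
        self.locked_at = None
        self.stored = b""
        self.new_message = False
        self.corrupt_next = 0          # test hook: number of writes to garble

    def request_write_lock(self, who, now):
        """Grant the lock if it is free or the previous holder ran out of time."""
        held = self.owner is not None and now - self.locked_at < self.lock_limit
        if held:
            return False
        self.owner, self.locked_at = who, now
        self.new_message = False
        return True                    # positive acknowledgement

    def write(self, who, message, now):
        """Store a message; refused without a current Write-Lock."""
        if self.owner != who or now - self.locked_at >= self.lock_limit:
            raise PermissionError("no valid Write-Lock")
        data = bytearray(message)
        if self.corrupt_next and data:
            data[0] ^= 0x01            # simulate a transmission/storage error
            self.corrupt_next -= 1
        self.stored = bytes(data)

    def read_back(self):
        return self.stored

    def set_flag(self, who):
        if self.owner != who:
            raise PermissionError("no valid Write-Lock")
        self.new_message = True

    def release(self, who):
        if self.owner == who:
            self.owner = self.locked_at = None

    def pickup(self):
        """Process control computer side: read the message and free the lock."""
        if not self.new_message:
            return None
        message = self.stored
        self.new_message = False
        self.owner = self.locked_at = None
        return message


def send_command(mailbox, who, message, now, max_attempts=3):
    """Lock, store, read back, compare; repeat the whole sequence on a mismatch."""
    for attempt in range(1, max_attempts + 1):
        if not mailbox.request_write_lock(who, now):
            return ("busy", attempt)
        mailbox.write(who, message, now)
        if mailbox.read_back() == message:
            mailbox.set_flag(who)      # only now is the receiver told to pick it up
            return ("delivered", attempt)
        mailbox.release(who)
    return ("failed", max_attempts)


if __name__ == "__main__":
    box = Mailbox()
    box.corrupt_next = 1               # first store is garbled, second succeeds
    print(send_command(box, "FEC-18a", b"SET AG 7", now=0.0))
    print(box.request_write_lock("FEC-18b", now=0.1))   # refused while held
    print(box.pickup())
```

The flag is set only after the read-back matches, so the receiving side never acts on a message that failed verification.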

The IFQ circuit 30 also includes a process data buffer 44,
which is shown as block in FIG. 1 for illustration simplicity.
However, the process data buffer 44 should include sufficient
memory capacity to store a separate data table for each of the
process control computers 12a-12b (e.g., 262,144 bytes).
Each of these data tables will include both the SDSS and
DSS data transmissions. Additionally, a DMA buffer (not
shown) may also be provided to allow some elasticity in
processing the data being received. In this regard, it should
be noted that both the IFS circuit 28 and the IFQ circuit
30 are configured to facilitate bi-directional Direct Memory
Access "DMA" transfers between the IFQ circuit 30 and the
Q-bus of the front end computer 18. In this way, the central
processing unit 45 of the front end computer 18 does not
need to devote substantial time to processing data transfers
to and from the IFQ circuit 30. Accordingly, the DMA buffer
is preferably used as a bucket brigade area to perform DMA
transfers on blocks of data from the process data buffer 44
(e.g., 8K bytes at a time) to a suitable memory residing on
the Q-bus of the front end computer 18.

The use of DMA transfers also enhances the ability of the
front end communication system 10 to achieve the goal of
making available real-time data from the process control
computers 12a-12b to one or more computers on the
network 20. More specifically, the front end communication
system 10 is designed to request, receive and answer
network queries on both pre-link and post-arbitrated data from
each of the process control computers 12a-12b within a
one-second time resolution. For example, in this particular
embodiment, each of the process control computers
12a-12b will issue a Sequence Data Stable Strobe "SDSS"
signal in every one-second program cycle, which indicates
that approximately 1024 (16 bit) words of pre-link dynamic
analog/digital input data is stable and available in the
dual-ported data memory 22. This specific data set is
referred to as pre-link data, as this data has not yet been
arbitrated between the process control computers 12a-12b
via data transmissions across the major link 14.
Subsequently, in the same one-second program cycle, each of the
process control computers 12a-12b will issue a Data Stable
Strobe "DSS" signal, which indicates that a complete set of
post-arbitrated input and output data is stable and available
in the dual-ported data memory 22. This data set is referred
to as post-arbitrated, as the input values will have been
arbitrated or resolved by this point in the program cycle. In
the present embodiment this post-arbitrated data set may be
comprised of up to 65,536 (16-bit) words, as it will include
both input and output values (and any other variables stored
in the dual-ported data memory 22).

It should also be noted at this point that one of the first
functions in the program cycle of the process control
computers 12a-12b is to make output value decisions from the
post-arbitrated input data obtained in the immediately
preceding program cycle. Accordingly, it should be appreciated
that the post-arbitrated data set will include the arbitrated
input values from the current program cycle and the output
values from the immediately previous program cycle.

It is also important to understand that the function of
obtaining a copy of the pre-link and post-arbitrated data sets
cannot be permitted to delay the operations of the process
control computers 12a-12b. Thus, for example, the front
end communication system 10 must be sufficiently fast to
obtain a copy of the pre-link data sets before the process
control computers 12a-12b need to have the ability to
change one or more of these data values through the
arbitration process. Accordingly, in the context of the present
embodiment, the front end communication system 10 needs
to be able to acquire a pre-link data set within ten
milliseconds of the time that the SDSS signal was initially asserted
in order to have the assurance of data stability. Similarly, the
front end communication system 10 needs to be able to
acquire a post-arbitrated data set within fifty milliseconds of
the time that the DSS signal was initially asserted. In this
regard, it should be appreciated that each of these data sets
need to be independently acquired from both of the process
control computers 12a-12b by each of the front end
computers 18a-18b. Additionally, each of the front end
computers 18a-18b must also be able to send messages to the
one or both of the process control computers 12a-12b
during time periods outside of the SDSS and DSS data
acquisition windows.

In order to further facilitate the ability of the front end
communication system to acquire the SDSS and DSS data
sets without any data transfer bottlenecks, and also provide
the ability to group and time align the data sets being
received, each of the front end computers 18a-18b includes
a set of at least three reflective buffers for each of the process
control computers 12a-12b. Each of these logically distinct
reflective buffers or shadow memories may reside in the
same physical memory chip or chip set in the front end
computer 18. As shown in FIG. 1, the set of reflective buffers
contained in the front end computer 18a is generally
comprised of a ZERO buffer "ZL" 46a for the Left process
control computer 12a, a ZERO buffer "ZR" 48a for the
Right process control computer 12b, a ONE buffer "OL" for
the Left process control computer, a ONE buffer "OR" for
the Right process control computer, a TWO buffer "TL" for
the Left process control computer, and a TWO buffer "TR"
for the Right process control computer. Additionally, it
should be understood that a corresponding set of reflective
buffers are contained in the front end computer 18b, such as
the ZERO buffer "ZL" 46b for the Left process control
computer 12a and the ZERO buffer "ZR" 48b for the Right
process control computer 12b.

The IFQ circuit 30 writes to these left and right buffers in
a "round robin" fashion using DMA data transfers. In other
words, the IFQ circuit 30 will fill the ZERO buffer 46a with
pre-link and post-arbitrated data of a particular process
control cycle from the Left process control computer 12a.
Then, when pre-link and post-arbitrated data for the next
process control cycle is received from the Left process
control computer 12a, the IFQ circuit will increment to the
ONE buffer 50a in order to store this data. Similarly, the IFQ
circuit 30 will turn to the TWO buffer 54a when pre-link and
post-arbitrated data for the third process control cycle is
received from the Left process control computer 12a in
order to store this data. Then, when pre-link and
post-arbitrated data for the fourth in time process control cycle
from the Left process control computer 12a is to be stored,
the IFQ circuit 30 will return to address the ZERO buffer
46a for data storage. Of course, it should be appreciated that
the IFQ circuit 30 will employ the same round robin
sequence for individually transferring pre-link and
post-arbitrated data to the three reflective buffers 48a, 52a and
56a that are used for the Right process control computer
12b.

For purposes of illustration, FIG. 1 shows three reflective
memory buffers (46a, 50a and 54a) for the Left process
control computer 12a, and three reflective memory buffers
(48a, 52a and 56a) for the Right process control computer
12b. However, as the SDSS and DSS data transfers are
treated as independent DMA events, the reflective memory
buffers preferably include distinct reflective memory buffers
for each of these events. Accordingly, a total of twelve
reflective memory buffers are preferably provided in the
front end computer 18. Additionally, each of these reflective
memory buffers are individually tracked, so that the ordering
of these buffers do not necessarily have to follow the
regimen shown below:

Second N: (ZERO-SDSS-L ZERO-DSS-L ZERO-SDSS-R ZERO-DSS-R)
Second N+1: (ONE-SDSS-L ONE-DSS-L ONE-SDSS-R ONE-DSS-R)
Second N+2: (TWO-SDSS-L TWO-DSS-L TWO-SDSS-R TWO-DSS-R)

Rather, the ordering of these buffers could also proceed
under other regimens, such as shown below:

Second N: (ONE-SDSS-L TWO-DSS-L ZERO-SDSS-R ONE-DSS-R)
Second N+1: (TWO-SDSS-L ZERO-DSS-L ONE-SDSS-R TWO-DSS-R)
Second N+2: (ZERO-SDSS-L ONE-DSS-L TWO-SDSS-R ZERO-DSS-R)

It is important to understand that the corresponding left
and right reflective buffers (e.g., buffers 46a and 48a) will
generally not become filled at the same time, as the program
time line of the process control computer in the dog mode
should follow the program time line of the process control
computer in the fox mode by a predeterminable period of
time (e.g., 20-microseconds to 20-milliseconds). However,
these time lines may become considerably separated in the
event that communications across the major link 14 are not
possible, as mentioned above. Even when the left and right
SDSS or DSS signals are asserted at near the same time, the
delays required to transfer this information to the IFQ circuit
30 and then transfer this information into the appropriate
reflective memories may result in a wider time skew
between these events as seen by the application software of
the front end computer 18 than as seen by the process control
computer and IFS circuit hardware. Nevertheless, it is the
responsibility of the front end computer 18 to ensure that the
data sets ultimately made available to the computer network
20 represent data from the process control computers
12a-12b in the same program cycle (e.g., a one second
period). In this regard, the application software of the front
end computer 18 includes a procedure, referred to as "MI
Sync", which groups individual data transfer events into a
cohesive set of buffers that represent a "snapshot" of the
pre-link and post-arbitrated data for a particular process
control cycle.

The MI Sync procedure uses a set of reflective memory
buffer management structures (MI_RMBMS) to track the
status of incoming data transfers. When the IFQ circuit
driver software signals to the MI Sync procedure that a
DMA transfer has completed, MI Sync records the required
information in the appropriate MI_RMBMS data structure.
When MI Sync determines that a complete set of buffers has
been received and stored (i.e., left SDSS, right SDSS, left
DSS and right DSS), it updates a global data structure
(MI_RM_DATA) with the pointers to the newly received
data. These pointers are copied from the MI_RMBMS data
structure. Accordingly, MI_RM_DATA includes the
pointers to the currently available "complete" or time aligned set
of reflective memory buffers. Depending upon where the
front end computer 12 is in the round robin procedure, the
most current time aligned set of reflective memory buffers
may be TWO buffers 54a and 56a at one time interval, the
ONE buffers 50a and 52a at the next time interval, and the
ZERO buffers 46a and 48a at the following time interval. In
the event that the SDSS or DSS data from one of the process
control computers 12a-12b is not received by the IFQ
circuit 30, MI Sync will still maintain time alignment by
using an appropriate timeout (e.g., 700 milliseconds) for
updating the MI_RM_DATA pointers. An indication will
also be provided as to which buffer or buffers are
unavailable.

The buffer pointers within MI_RM_DATA are protected
by a mutual exclusion semaphore or "mutex". MI Sync
requests this mutex before copying the new pointers to
MI_RM_DATA and releases it immediately after the copy
is complete. When a network entity needs to access
reflective memory data, a copy of the MI_RM_DATA pointers is
made by requesting the mutex, copying these buffer pointers
to a local data structure, and then releasing the mutex. Since
the application for querying or reading the data uses a copy
of the pointer, contention for the mutex is minimized, and
MI Sync will be able to update MI_RM_DATA with new
pointers as soon as the next complete set of data has been
stored. In this regard, it is important to note that this method
will enable the reading application to still access the same
set of reflective memory buffers while MI Sync updates
MI_RM_DATA with new pointers. Since reading
applications will access the most current time aligned set of
reflective memory buffers, it should be understood that a
reading application could be accessing one set of reflective
memory buffers (e.g., the TWO buffers 54a and 56a), while
a subsequent reading application could be given access to
another set of reflective memory buffers (e.g., the ONE
buffers 50a and 52a) once MI Sync updates MI_RM_DATA
with new pointers.

It should also be understood that applications which
access the reflective memories will be able to run to
completion before the referenced buffers are overwritten with new
incoming data. In one embodiment of the front end
communication system 10, applications requiring reflective
memory data are assigned execution priorities high enough
to allow them to run to completion in less than one second.
However, it should be appreciated that the front end
computer 18 could be configured with additional sets of buffers
to allow the development of an application that may take
longer to run to completion.
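
The MI Sync grouping and the mutex-protected pointer copy described above can be sketched as follows. This is an added example, not the patent's software: the class, its method names, the dictionary stand-ins for MI_RMBMS and MI_RM_DATA, and the buffer labels are assumptions; only the four transfer kinds, the 700 millisecond timeout and the copy-under-mutex pattern come from the text.

```python
# Added example: time-aligning four DMA events into one published pointer set
# (class, method names and buffer labels are assumptions).
import threading

KINDS = ("SDSS-L", "DSS-L", "SDSS-R", "DSS-R")


class MISync:
    def __init__(self, timeout=0.7):
        self.timeout = timeout          # the page's example: 700 milliseconds
        self.pending = {}               # stand-in for MI_RMBMS: kind -> buffer label
        self.cycle_started = None
        self.mutex = threading.Lock()
        # Stand-in for MI_RM_DATA: the current complete, time-aligned set.
        self.published = {"buffers": {}, "unavailable": ()}

    def dma_complete(self, kind, buffer_label, now):
        """Called when the driver reports that one DMA transfer has finished."""
        if kind not in KINDS:
            raise ValueError("unknown transfer kind")
        if self.cycle_started is None:
            self.cycle_started = now
        self.pending[kind] = buffer_label
        if len(self.pending) == len(KINDS):
            self._publish()

    def tick(self, now):
        """Publish what has arrived once the timeout for this cycle expires."""
        if self.cycle_started is not None and now - self.cycle_started >= self.timeout:
            self._publish()

    def _publish(self):
        missing = tuple(k for k in KINDS if k not in self.pending)
        new_set = {"buffers": dict(self.pending), "unavailable": missing}
        with self.mutex:                # held only for the pointer swap
            self.published = new_set
        self.pending = {}
        self.cycle_started = None

    def snapshot(self):
        """Reader side: copy the pointers under the mutex, then work on the copy."""
        with self.mutex:
            return {"buffers": dict(self.published["buffers"]),
                    "unavailable": self.published["unavailable"]}


def feed_cycle(sync, slot, now, skip=()):
    """Deliver one second's transfers from round-robin slot ZERO/ONE/TWO."""
    for kind in KINDS:
        if kind not in skip:
            sync.dma_complete(kind, slot + "-" + kind, now)


if __name__ == "__main__":
    sync = MISync()
    feed_cycle(sync, "ZERO", now=0.00)
    reader_view = sync.snapshot()       # a reader starts work on the ZERO set
    feed_cycle(sync, "ONE", now=1.00)   # MI Sync moves on without waiting
    print(reader_view["buffers"]["DSS-L"], sync.snapshot()["buffers"]["DSS-L"])
    feed_cycle(sync, "TWO", now=2.00, skip=("DSS-R",))
    sync.tick(now=2.70)                 # timeout: publish with a gap indication
    print(sync.snapshot()["unavailable"])
```

A reader that took its snapshot before the next publish keeps working on the older buffer set, which is why the text requires readers to finish before the round robin wraps around to that slot.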

It should also be appreciated from the above that the use
of the front end computers 18a-18b also enables the
communication system 10 to have the necessary intelligence to
answer specific data requests. The use of the front end
computers 18a-18b also permit a rapid check to be made
that the process control computers 12a-12b are in fact
continuing to send real-time data. Additionally, the front end
computers 18a-18b are also preferably programmed to
make determinations as to whether read or write requests
from the process control computers 12a-12b should be
granted with respect to the entity on the computer network
20 which has forwarded the request. As will be discussed
more fully below, the front end computers 18a-18b contain
both a security table and two permissive tables in their
memories for facilitating these determinations. The security
table is used to determine whether communications will be
permitted at all with various entities on the computer
network 20, while the permissive tables are used to evaluate
write command messages from an entity on the computer
network which could affect specific locations in the
dual-ported data memories 22a-22b.

The front end computers 18a-18b may also utilize at least
one set of additional reflective buffers, such as Correlate
buffers 58a and 60a. In light of the fact that the DSS data set
will contain the post-arbitrated input value data from the
current program cycle and the output value data that was
based upon the post-arbitrated input values of the
immediately preceding program cycle, it may be desirable to
correlate into one data table the output values for a particular
program cycle with the input values used to decide these
output values. Accordingly, the front end computer 18a may
employ the Correlate buffers 58a and 60a to store a copy of
the post-arbitrated input values from the current DSS data
set, and then wait for the alignment of the next DSS data set
in order to store a copy of the output values from this
subsequent data set in the same Correlate buffers. In this
regard, it should be appreciated that this copying procedure
will be made from the most current time aligned set of
reflective memory buffers. Thus, for example, FIG. 2A
shows a diagrammatic example of a data table in a time
aligned buffer, while FIG. 2B shows a similar example of a
data table in the Correlate buffer "CL". In any event, it
should be understood that the time alignment capabilities of
the front end computers 18a-18b provide a powerful
diagnostic tool for analyzing both the operation of the process
control computers 12a-12b and the physical process being
controlled. For example, the arbitration performed with
respect to the input data values may be analyzed for both of
the process control computers 12a-12b, as pre-link and
post-arbitrated input data values are time aligned and made
available by the front end computers 18a-18b. A further
discussion of these time alignment methods may be found in
the Allbery et al. patent application Ser. No. 08/273,773,
now U.S. Pat. No. 5,519,603, filed on even date herewith,
entitled "Intelligent Process Control Communication
System and Method". This application is hereby incorporated by
reference.

The computer network 20 is shown in FIG. 1 to generally
include a direct control segment, a process information
segment and a connection to a Wide Area Network "WAN".
Each of these network segments preferably employ Ethernet
compliant mediums and IEEE 802.3 compatible
communication protocols. The direct control segment is comprised of
dual Plant Area Networks "PAN-1" and "PAN-2", while the
process information segment is comprised of Plant Area
Network "PAN-3". At least one bridge 62 is used to
interconnect the PAN-1 and PAN-2 segments. Additionally, at
least one bridge 64 is used to interconnect the PAN-2
segment with the PAN-3 segment. Another bridge may be
used to interconnect the PAN-1 segment with the PAN-3
segment. One or more bridges 66 may also be used to
interconnect the PAN-3 segment with the WAN.

It should be noted that the front end computer 18a is
coupled to the PAN-1 segment, while front end computer
18b is coupled to the PAN-2 segment. While a single plant
area network could be provided, the use of dual plant area
networks shown herein have certain communication and
redundancy advantages over a single plant area network. In
this regard, the bridges will typically filter communications
by Ethernet hardware addresses to reduce the amount of
traffic on each of the network segments. For example, a
communication between the security server 68 and the
operator station 70 will not be transmitted across the bridge
62 to the PAN-1 segment. The bridges 62-66 also provide a
layer of physical separation between the network segments,
so that if a fault occurs on one of the network segments, then
the fault will be prevented from adversely affecting the other
network segments. Additionally, one or more of the bridges
are also used to filter communications on the basis of
specific data communication protocol identifications to
enhance the overall security of the network 20. For example,
the bridge 64 may be used to prevent the transmission of
messages employing the Ethernet compliant protocol used
by the security server 68 from one of the PAN-2 and PAN-3
segments to the other. Similarly, the bridge 64 may be used
to prevent the transmission of messages employing the
Ethernet compliant protocol used to write information into
the mailbox section 26 of the dual-ported data memory.

The computer network 20 also includes a plurality of
operator workstations, such as operator workstations 70 and
72. As shown in FIG. 1, these operator workstations may be
located on different network segments, and the number of
operator workstations will be dependent upon the particular
process control application. One or more of these operator
workstations may be used to view or analyze data received
from the front end computers 18a-18b. Additionally, these
operator workstations may be used by an authorized control
room operator to transmit the appropriate instructions to the
front end computers 18a-18b which will cause a command
message to be conveyed to the process control computers
12a-12b.

The network 20 further includes a process information
computer 74 which may perform a variety of functions. For
example, the process information computer may be used to
store a history of process data received from the front end
computers 12a-12b. Additionally, the process information
computer 74 may be used to store the compilers needed to
change the computer programs residing in the front end
computers 18a-18b, as well as the programs residing in the
process control computers 12a-12b. The process
information computer 74 may also include loading assistant
software for transferring operating program revisions to the
process control computers 12a-12b. The network also
includes a control room data manager computer 76, which
may be used to perform various file serving and tracking
functions among the computers connected to the network.

An expert download assistant 78 is also provided to
facilitate program revisions in the front end computers
18a-18b. In contrast, the loading assistant software in the
process information computer 74 may be used to cause a
new computer program to be downloaded to one of the
process control computers 12a-12b through at least one of
the front end computers 18a-18b and the mailbox section 26
of the dual-ported data memory 22. While the download
assistant 78 may be resident in its own network computer,
the download assistant could also reside in a suitable
network computer, such as the process information system
computer 74.

The loading assistant may also be used to cause the
process control computer with the revised program to start
operating in a mode which will enable real-time testing of
the revised program. In this mode of operation, the process
control computer will receive input data and make output
decisions, but these output decisions will not be transmitted
to the field instrumentation devices. This will permit the
plant engineer to evaluate the revisions, and even make
further revisions if necessary before instructing the process
control computer to assume an active mode of operation,
such as the fox or dog modes.

Whenever it is decided that the manner in which the
process control computers 12a-12b perform their particular
manufacturing control operations should be changed
through a program revision, the revised program for the
process control computers 12a-12b must be compiled from
the source programming language to an executable file
or set of dynamically linked files. In the preferred
embodiment, a unique identifier is embedded into the executable
code during the compile procedure. This identifier
represents (or is otherwise associated with) the version of the
revised software for the process control computers 12a-12b.
The program version identifier is used to ensure proper
alignment between the version of the program being
executed by the process control computers 12a-12b and the
files/tables in the front end computers 18a-18b used to
evaluate write command messages to these process control
computers.

As mentioned above, each of the front end computers
18a-18b include two permissive tables, such as the "PL"
permissive table 80a for the Left process control computer
12a, and the "PR" permissive table 82a for the Right process
control computer 12b. These permissive tables are used by
the front end computers 18a-18b to determine whether any
entity on the computer network 20 should be permitted to
change the contents of specific locations in the dual-ported
data memories 22a-22b. However, it should be appreciated
that the data structure of the permissive table could be
constructed to protect the contents of any memory location
or area in the process control computers 12a-12b which
could be altered from a write command message.

When a message is received by a front end computer 18
from an entity on the network which uses the write command
protocol, such as a write command message from one
of the operator workstations 70-72, a "data_write_check"
sub-routine will be called by the central process unit of front
end computer. The data_write_check routine will perform
a comparison between the variable elements identified in the
write command message and the variable elements in the
permissive table for which changes should be authorized or
denied. For example, if the front end computer 18a receives
a write command message which seeks to increase/decrease
an analog gain "AG" factor used by the program being
executed by the Left process control computer 12a, the front
end computer 18a will look up the element word for this
particular AG factor in permissive table 80a and determine
if a bit has been set to deny the authorization needed to
change this factor. If authorization is denied, then the front
end computer 18a will not transmit the write command
message to the process control computer 12a. Instead, the
front end computer 18a will preferably send a reply message
to the host entity on the computer network 20 that originally
sent the write command message, to inform the host entity
that a write error has occurred.

From the above, it should be appreciated that the PL and
PR permissive tables stored in the front end computers
18a-18b need to be closely coordinated with the version of
the program being executed by each of the process control
computers 12a-12b. In order to ensure that each of these
permissive tables are sufficiently matched with the programs
being executed by their respective process control computers
12a-12b, the program version identifier discussed above
is also embedded into these permissive tables when they are
compiled. This program version identifier may then be sent
to the process control computer 12 along with a verified
write command message, so that the process control computer
12 will be able to confirm that the commanded variable
change is appropriate to its program version.

To enhance the security of this verification process, the
program version identifier from the permissive table is
preferably altered by a suitable encryption algorithm before
it is transmitted with the write command message to the
mailbox section 26 of the stealth interface circuit 16 for the
intended process control computer 12. The process control
computer 12 receiving the write command message will then
decode this version identifier, and compare it with the
program version identifier embedded in its program to
determine if there is a match. If the program version
identifiers match, then the process control computer 12 will
perform the commanded variable change. Otherwise, the
process control computer 12 will respond by discarding the
write command message and transmitting an appropriate
error message to the front end computer 18.

The PL and PR permissive tables are also preferably
provided with a data structure which permits write command
authorization determinations to be made for specific host
entities on the computer network 20. In other words, the
permissive table 80a may permit particular variable changes
to be made from operator workstation 70 that are not
allowed to be made from operator workstation 72. Thus, the
permissive tables may have several station specific table
sections, as well as a default table section. Nevertheless, the
ability may also be provided to bypass a check of the
appropriate permissive table, through the use of a suitable
password at a host entity on the computer network 20.
However, in this event, a log should be created and stored in
the front end computer 18 which will identify this transaction
and the identity of the host entity (e.g., a CPU identifier).
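The following C sketch is an added illustration, not code from the patent: it models the data_write_check lookup with station-specific and default table sections, the logged password bypass, and the version identifier that travels with a forwarded write. The table layout, element numbers, key and the reversible scramble standing in for the "suitable encryption algorithm" are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values: the description fixes no table layout, element
 * numbering, key or algorithm, so all of these are assumptions. */
#define N_ELEMENTS  64u
#define VERSION_KEY 0xA5C3F00Du            /* placeholder shared secret */
enum { ELEM_AG = 7, ELEM_SETPOINT = 12 };  /* hypothetical element numbers */

typedef struct {
    uint16_t station;                /* 0 marks the default section */
    uint32_t deny[N_ELEMENTS / 32];  /* bit set = change denied */
} section_t;

typedef struct {
    uint32_t  version_id;            /* embedded when the table is compiled */
    size_t    n_sections;
    section_t sections[4];
} permissive_table_t;

typedef struct { uint16_t station, element; int32_t value; } write_cmd_t;
typedef struct { write_cmd_t cmd; uint32_t version_token; } mailbox_msg_t;
typedef enum { WRITE_FORWARDED, WRITE_DENIED, WRITE_BYPASSED,
               WRITE_BAD_ELEMENT } verdict_t;

/* Stand-in for the "suitable encryption algorithm": a reversible keyed
 * scramble, not a real cipher. */
static uint32_t rotl32(uint32_t v, unsigned r) { return (v << r) | (v >> (32u - r)); }
static uint32_t rotr32(uint32_t v, unsigned r) { return (v >> r) | (v << (32u - r)); }
uint32_t version_encode(uint32_t id)  { return rotl32(id ^ VERSION_KEY, 11); }
uint32_t version_decode(uint32_t tok) { return rotr32(tok, 11) ^ VERSION_KEY; }

/* Station-specific section if one exists, otherwise the default section. */
static const section_t *find_section(const permissive_table_t *t, uint16_t station)
{
    const section_t *fallback = NULL;
    for (size_t i = 0; i < t->n_sections; i++) {
        if (t->sections[i].station == station) return &t->sections[i];
        if (t->sections[i].station == 0) fallback = &t->sections[i];
    }
    return fallback;
}

/* Front end side. bypass_ok means the host already presented the bypass
 * password (checking it is outside this sketch). */
verdict_t data_write_check(const permissive_table_t *t, const write_cmd_t *cmd,
                           int bypass_ok, mailbox_msg_t *out,
                           char *logbuf, size_t logsz)
{
    verdict_t v = WRITE_FORWARDED;
    if (logbuf && logsz) logbuf[0] = '\0';
    if (cmd->element >= N_ELEMENTS) return WRITE_BAD_ELEMENT;
    if (bypass_ok) {                 /* table check skipped, always logged */
        v = WRITE_BYPASSED;
        if (logbuf && logsz)
            snprintf(logbuf, logsz, "BYPASS station=%u element=%u value=%d",
                     (unsigned)cmd->station, (unsigned)cmd->element,
                     (int)cmd->value);
    } else {
        const section_t *s = find_section(t, cmd->station);
        /* No matching or default section: fail closed. */
        if (!s || ((s->deny[cmd->element / 32] >> (cmd->element % 32)) & 1u))
            return WRITE_DENIED;     /* caller replies with a write error */
    }
    out->cmd = *cmd;
    out->version_token = version_encode(t->version_id);
    return v;
}

/* Process control computer side: act only if the table that approved the
 * write was compiled for the program version now running. */
int pcc_accept(const mailbox_msg_t *m, uint32_t program_version_id)
{
    return version_decode(m->version_token) == program_version_id;
}

/* Constructed "PL" table: the default section denies everything, station 70
 * may change anything, station 72 anything except the AG factor. */
permissive_table_t sample_pl_table(void)
{
    permissive_table_t t = { 0x00000107u, 3, {
        { 0,  { 0xFFFFFFFFu, 0xFFFFFFFFu } },
        { 70, { 0, 0 } },
        { 72, { 1u << ELEM_AG, 0 } } } };
    return t;
}

int main(void)
{
    permissive_table_t pl = sample_pl_table();
    mailbox_msg_t msg;
    char logbuf[96];
    write_cmd_t from70 = { 70, ELEM_AG, 5 }, from72 = { 72, ELEM_AG, 5 };
    printf("ws70 AG: %d\n", data_write_check(&pl, &from70, 0, &msg, logbuf, sizeof logbuf));
    printf("ws72 AG: %d\n", data_write_check(&pl, &from72, 0, &msg, logbuf, sizeof logbuf));
    printf("ws72 AG, bypass: %d (%s)\n",
           data_write_check(&pl, &from72, 1, &msg, logbuf, sizeof logbuf), logbuf);
    printf("stale program accepts: %d\n", pcc_accept(&msg, pl.version_id + 1));
    return 0;
}
```

A front end holding a table compiled for an older program still forwards the write, but the process control computer rejects it at `pcc_accept`, which is the alignment check the version identifier exists for.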

It should be noted that the use of separate permissive
tables for the process control computers 12a-12b has the
advantage of enabling a program downloading operation to
be performed on one of the process control computers while
the other process control computer continues to actively
control a manufacturing process. Indeed, even after a revised
program has been successfully transferred to the process
control computer 12a (and the corresponding permissive
table 80a loaded in front end computer 18a), the use of
separate permissive tables will enable the front end computer
18a to evaluate a write command message intended for
the process control computer 12a which is distinct from a
write command message intended for the process control
computer 12b. While it may not be advisable in some
circumstances to run the process control computers 12a-12b
with different program versions in an active control mode, a
passive operating mode may be used for the process control
computer with the revised program while the other process
control computer is in an active control mode. In such an
event, the plant engineer may use the download assistant 78
during final program testing to issue write command messages
for the passive process control computer, while
another plant engineer issues write command messages to
the active process control computer through the same front
end computer 18.

The security server 68 is used to inform each of the
computers residing on the network 20 who they may
communicate with on the network. In this regard, the security
server stores a specific security table for each of the valid
entities on the network. Each of these security tables will
identify which of the network computer entities a particular
network computer may conduct bi-directional communications.
For example, in the case of the front end computers
18a-18b, one of the first functions on start up will be to
obtain their respective security tables from the security
server 68. Accordingly, the security server 68 is shown in
FIG. 1 to store a security table "S1" for the front end
computer 18a, and a security table "S2" for the front end
computer 18b. While the security server could also be used
to send the PL and PR permissive tables discussed above to
the front end computers 18, it is preferred that newly
compiled permissive tables be received from the download
assistant 78. In this regard, it should be noted that the
download assistant is also preferably used to send the
transfer map 37 intended for the IFS circuit 28 to the front
end computer 18 along with the appropriate permissive
table.

In order to assure the integrity of security table transfers
from the security server 68 to the front end computers
18a-18b, a method of validating these transfers is utilized in
the present embodiment. In accordance with this method, the
front end computer 18 will embed a random or pseudo-random
number in a broadcast network message to request
that the security server 68 identify itself as a prelude to
sending the appropriate security table. The security server
will respond to this request with an acknowledgement
message that utilizes a security protocol identifier which is
different than that used with other types of network messages.
Importantly, this acknowledgement message will
include the random number from the front end computer 18
in a transformed state. In this regard, a suitable encryption
algorithm may be used to alter the random number, and the
random number should have a bit length which will make it
difficult for any unauthorized entity to decode (e.g., 32 bits).
Upon receipt of the acknowledgement message, the front
end computer 18 will then either reverse the encryption
process to obtain the random number or encrypt its original
random number to make a comparison between the
transmitted and received random numbers. Assuming that these
random numbers match, then the front end computer 18 will
determine that the acknowledgement message has been
received from a valid security server, and the transfer
process will proceed.

In order to further enhance the security of communications
between the front end computers 18a-18b and other
entities on the computer network 20, an additional validation
procedure is preferably implemented. More specifically, this
additional validation procedure is utilized to permit
communication between the front end computers 18a-18b and
any network entity for which a write command message may
be recognized. In accordance with this validation method,
the front end computer 18 will send a contract offer message
on a periodic basis to the Ethernet address of each host
entity on the network 20 which it recognizes as having a
write message capability. Each of these contract offer
messages will include a random or pseudo-random number or
other suitably unpredictable message component. In order for
a host entity to be able to have its write command messages
recognized, it must respond to its contract offer message
within a predetermined period of time (e.g., 10 seconds)
with a contract acceptance message that includes a
transformed version of this unpredictable message component.
While any appropriate encryption algorithm may be used for this
purpose, it is preferred that this encryption algorithm be
different than the encryption algorithm used to validate the
transfer of a security table from the security server 68.
Additionally, it should be noted that the security message
protocol may be used for these contract offer and acceptance
messages.

The front end computer 18 will then decrypt the random
number embedded in the contract acceptance message to
determine if a time limited communication contract will be
established between the front end computer and this host
entity at the specific Ethernet address for the host entity that
was contained in the security table. This time limited
communication contract will ensure that a write command
message link between a front end computer 18 and a
particular host entity will be reliable and specific. Thus, for
example, the front end computer 18a will send a contract
offer message to the Ethernet address of the operator
workstation 72 which will contain a new random number (e.g., 32
bits in length). The operator workstation 72 will respond
with a contract acceptance message that includes an
encrypted version of this particular random number. Then,
the front end computer 18a will either decrypt this number
with the contract algorithm key stored in its memory for this
purpose or use the same encryption algorithm to compare
the offer and acceptance numbers. If these numbers match,
then the front end computer 18a will process write
command messages from the operator workstation 72 for a
predetermined period of time. Otherwise, if the numbers do
not match, then the front end computer 18a will disable a
write command authorization bit for the Ethernet address of
the operator workstation 72 from its security table S1 to
indicate that write command messages from this operator
workstation should be ignored.

The communication contract established for write command
messages is time limited to enhance the transmission
security of these particular messages. In the preferred
embodiment, the communication contract will automatically
expire within twenty seconds after being initiated.
Nevertheless, in order to ensure that the ability to send write
command messages is not interrupted, the contract offer
messages should be sent from the front end computer 18 to
each of the appropriate host entities on the network 20 on a
periodic basis which will provide this continuity. For
example, with a communication contract of twenty seconds,
it is preferred that the contract offers be transmitted at a rate
of approximately every ten seconds. In other words, every
ten seconds, each of the host entities that are capable of
transmitting recognizable write command messages will
receive a new random number from each of the front end
computers 18.
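The C sketch below is an added illustration, not code from the patent: it models the front end computer's bookkeeping for one host under the contract scheme above (fresh number per offer, ten second reply window, twenty second lifetime, authorization bit cleared on a mismatch) together with the three-try limit the description gives next; the security table handshake uses the same echo-and-compare check with its own algorithm. The keyed scramble, the key, the xorshift generator and the choice to run the twenty seconds from the offer are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define CONTRACT_LIFETIME_S 20u   /* from the description */
#define RESPONSE_WINDOW_S   10u   /* from the description */
#define MAX_TRIES            3u   /* from the description */
#define CONTRACT_KEY 0x3C6EF372u  /* placeholder shared secret (assumed) */

typedef enum { ACCEPT_OK, ACCEPT_IGNORED, ACCEPT_MISMATCH } accept_t;

/* Front end computer's state for one host entry in its security table. */
typedef struct {
    int      write_authorized; /* write command authorization bit */
    int      offer_pending;    /* an offer is waiting for its acceptance */
    unsigned misses;           /* consecutive offers left unanswered */
    uint32_t nonce;            /* number carried by the pending offer */
    uint32_t offered_at;       /* seconds */
    uint32_t expires_at;       /* contract is live while now < expires_at */
} host_entry_t;

/* Stand-in for the contract algorithm: a keyed bijection on 32 bits, not a
 * real cipher. Both ends compute it and the front end compares results. */
uint32_t contract_transform(uint32_t n)
{
    n ^= CONTRACT_KEY;
    n *= 0x9E3779B1u;
    return n ^ (n >> 15);
}

/* xorshift32, used only to keep the sketch self-contained; a deployed
 * system wants a source an observer cannot predict. Never returns 0. */
static uint32_t next_nonce(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *state = x;
}

/* Called about every ten seconds per host. Returns the number placed in
 * the offer, or 0 when the host has lost its authorization bit. */
uint32_t fe_send_offer(host_entry_t *h, uint32_t now, uint32_t *rng)
{
    if (h->offer_pending && ++h->misses >= MAX_TRIES)
        h->write_authorized = 0;   /* stays off until a new security table */
    if (!h->write_authorized) { h->offer_pending = 0; return 0; }
    h->nonce = next_nonce(rng);
    h->offered_at = now;
    h->offer_pending = 1;
    return h->nonce;
}

accept_t fe_receive_acceptance(host_entry_t *h, uint32_t now, uint32_t response)
{
    if (!h->offer_pending || now - h->offered_at > RESPONSE_WINDOW_S)
        return ACCEPT_IGNORED;     /* unsolicited or late: counts as silence */
    h->offer_pending = 0;
    if (response != contract_transform(h->nonce)) {
        h->write_authorized = 0;   /* mismatch: ignore this host's writes */
        return ACCEPT_MISMATCH;
    }
    h->misses = 0;
    /* Assumption: the twenty seconds run from when the offer was sent. */
    h->expires_at = h->offered_at + CONTRACT_LIFETIME_S;
    return ACCEPT_OK;
}

/* Gate applied to every write command message from this host. */
int fe_write_allowed(const host_entry_t *h, uint32_t now)
{
    return h->write_authorized && now < h->expires_at;
}

int main(void)
{
    uint32_t rng = 0x12345678u;            /* constructed seed */
    host_entry_t ws72 = { 1, 0, 0, 0, 0, 0 };
    for (uint32_t t = 0; t <= 50; t += 10) {
        uint32_t n = fe_send_offer(&ws72, t, &rng);
        if (n != 0 && t < 20)              /* host answers twice, then goes quiet */
            fe_receive_acceptance(&ws72, t + 1, contract_transform(n));
        printf("t=%2us offer=%08x writes at t+5: %d, auth bit: %d\n",
               (unsigned)t, (unsigned)n, fe_write_allowed(&ws72, t + 5),
               ws72.write_authorized);
    }
    return 0;
}
```

Because every offer carries a new number, an acceptance captured from an earlier exchange no longer matches and costs the sender its authorization bit.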

In the event that a host entity fails to respond to a contract
offer message from a front end computer 18, the front end
computer will preferably make three tries to establish or
maintain a time limited communication contract. If no
response is received from these three tries, then the front
end computer 18 will disable the write command authorization
bit for the Ethernet address of this host entity from its
security table. In such an event, the affected host entity will
not be able to have its write command messages processed
by the front end computer 18 until the security server 68
transmits a new security table to the front end computer 18.

It should be appreciated from the above that only the
random numbers need to be encrypted to facilitate a transfer
of the security table or to establish the time limited
communication contract for write command messages. However,
it should be understood that the security table itself or the
write command messages could be encrypted as well in the
appropriate application. Nevertheless, the use of different
Ethernet protocols for security messages and write command
messages, the use of different encryption algorithms
for security table transfers and write command communication
contracts, the limitation of the time of the write
command communication contracts to short durations, and
the use of specific permissive tables for each of the front end
computers 18, all combine to provide a very high degree of
communication and write command security for the process
control computers 12a-12b. Additional protection is also
substantially provided by the guardian circuit in the stealth
interface circuit 16, the embedding of a program version
identifier in the PL and PR permissive tables, and the
encryption of these program version identifiers by the
front end computers 18a-18b when a verified write command
message is transmitted to the process control computer
12a-12b. In this regard, it should be noted that the encryption
algorithm used by the front end computers 18a-18b for
the program version identifiers is preferably different than
the encryption algorithm used for security table transfers or
the encryption algorithm used to establish the time limited
communication contracts for write command messages. A
further discussion of these security and verification features
may be found in the de Bruijn et al. U.S. Pat. No. 5,428,745,
filed on even date herewith, and entitled "Secure Front End
Communication System and Method". This patent is hereby
incorporated by reference.

Turning to FIG. 3, a block diagram of the stealth interface
circuit 16 is shown. Reference will also be made to the
schematic diagram of the stealth interface circuit 16, which
is shown in FIGS. 4A-4B. The stealth interface circuit 16 is
interposed between the internal bus structure 100 of the
process control computer 12 and the externally directed
stealth port 102. The stealth interface circuit 16 is connected
to bus structure 100 via a set of suitable buffers. In this
regard, buffer block 104 includes two 8-bit buffer circuits
U17-U18, which receive address information from the
address bus on the process control computer 12. Similarly,
buffer block 106 includes two 8-bit buffer circuits U6-U7,
which receive data information from the data bus of the
process control computer 12.

The stealth interface circuit 16 also includes a data control
block 108, which is also connected to the bus structure 100
of the process control computer 12. As indicated in FIG. 4A,
the data control block 108 is preferably comprised of a
Programmable Array Logic "PAL" circuit U15 (e.g.,
EP512), which is used to detect the SDSS and DSS signals
from the process control computer 12. As well known in the
art, a PAL circuit has fusible links which may be programmed
so that a plurality of internal AND gates and OR
gates will be configured to perform a desired logic function.
While a PAL circuit provides a relatively low cost way
of implementing logic functions, it should be understood that
other suitable circuit devices may be used for this application.
It should also be noted that the PAL circuit is programmed
to detect two extra strobe signals that may be
generated by the process control computer 12, namely the
"EXS1" and "EXS2" signals. One or both of these extra
strobe signals may be used by the process control computer
12 to indicate that certain data stored in the dual-ported data
memory 22 is stable, such as data used to display graphical
information.

The stealth interface circuit 16 also receives four control
signals from the process control computer 12 which are used
to access the dual-ported data memory 22. These signals are
"/EN_DATAMEM", "/EMR", "R/W" and "MEMCLK". The
first three of these signals relate to whether the process
control computer 12 seeks to read or write to the dual-ported
data memory 22. However, MEMCLK is the memory clock
signal referred to above which effectively divides the time in
the machine cycle of the process control 12 available for
accessing the dual-ported data memory 22. The MEMCLK
signal is a fifty percent duty clock signal, as shown in the
timing diagram of FIG. 5A. In accordance with the method
illustrated in this timing diagram, the dual-ported data
memory 22 may be accessed from the internal process
control computer port 100 when MEMCLK is Low. Then,
when MEMCLK undergoes a transition to a High state, the
dual-ported data memory 22 may be accessed from the
external stealth port 102. While the MEMCLK signal is
shown to have a period of 400 nano-seconds (i.e., a frequency
of 2.5 MHz), it should be understood that other suitable
periods and duty cycles may be provided in the appropriate
application.

On the stealth port side of the stealth interface circuit 16,
a set of suitable buffers are also provided to handle the
transfer of address and data information. In this regard,
buffer block 110 includes two 8-bit buffer circuits U1-U2,
which receive address information from the external stealth
port 102. Similarly, buffer block 112 includes two 8-bit
buffer circuits U4-U5, which are capable of transmitting and
receiving data information between the dual-ported data
memory 22 and the stealth port 102.

Additionally, the stealth interface circuit 16 includes an
arbitration circuit 114 which receives bus request signals
from external entities on the stealth port 102. As shown in
FIG. 4B, the present embodiment provides four individual
channel lines for the incoming bus request signals "/BR1 . . .
/BR4". Thus, the stealth interface circuit 16 enables up to
four different external entities to be connected to the stealth
port 102. The arbitration circuit 114 is shown in FIG. 4B to
comprise a four input asynchronous bus arbiter circuit U9
which will grant bus access to the first bus request signal
received. In this regard, a specific bus grant signal "/BG1 . . .
/BG4" will ultimately be generated to inform the particular
external entity who won the bus that the channel is clear
for its use. The arbitration circuit 114 also has an internal
AND gate which will produce the any-bus-request signal
"/ANY_BR" shown in the timing diagram of FIG. 5A.

The stealth interface circuit 16 further includes a stealth
port control circuit 116, which is used to control access to the
dual-ported data memory 22. The control circuit 116 is
shown in FIGS. 4A-4B to comprise a PAL circuit U16, a
timer circuit U10 and a set of tri-state buffers which are
contained in chip U8. In the case of memory access for the
internal process control computer bus 100, the PAL circuit
U16 will transmit the chip select signal "/CS" to the buffers
104 and 106 to latch or capture address and data information
from the internal bus. The PAL circuit U16 will also send the
enable memory read signal "AB^JEMR" to the buffer 106
when the process control computer 12 needs to latch or
capture data from the data bus 118 of the stealth interface
circuit 16. In this regard, the PAL circuit U16 is responsive
to both the MEMCLK signal and the central process unit
clock signal "CP" of the process control computer 12.

In the case of memory access from the external stealth
port 102, the PAL circuit U16 will transmit the enable signal
"/SP_EN" to the buffers 110 and 112 to latch or capture
address and data information from the external bus. The PAL
circuit U16 will also send the enable memory read signal
"SW/R" to the buffer 112 when an external entity is
permitted to latch or capture data from the data bus 118 of the
stealth interface circuit 16. The SW/R signal is received at
the stealth port bus 102, and it provides an indication from
the external entity the direction of data flow desired. In this
particular embodiment, the SR/W signal is active High for a
read cycle and active Low for a write cycle. The SR/W
signal is common to all four potential external users, and it
should be held in a tri-state until the external user winning
the bus receives its active Low /BR signal.

The PAL U16 also transmits the SW/R signal to the check
point guardian circuit 120 (PAL circuit U13) to initiate an
evaluation to be made on the address of the dual-ported data
memory 22 selected by the external entity for a write
operation. In this regard, the guardian circuit 120 is
programmed to inhibit the transition needed in the chip enable
signal for accessing the dual-ported data memory
chips U11-U14, whenever the address is outside of the
mailbox section 26.

With respect to the sequence of operation for the stealth
interface circuit 16, it should be appreciated that a memory
read/write cycle from the stealth port 102 must be initiated
by the external entity seeking to access the dual-ported data
memory 22. This cycle is begun with the transmission of a
bus request signal /BR from the external entity, such as front
end computer 18a. Upon the receipt of any bus request
signals, the arbitrator circuit 114 will transmit an active Low
any-bus-request signal /ANY_BR to the PAL circuit U16.
The any-bus-request signal is directed to an internal flip-flop
of the PAL circuit U16, which operates under the clock
signal CP. Accordingly, the any-bus-request signal needs to
be present before the falling edge of the clock signal CP in
order for stealth port access to occur when MEMCLK goes
high, as shown in the timing diagram of FIG. 5A. If the
latched any-bus-request signal is active, the stealth interface
circuit 16 will begin a stealth port memory cycle. Otherwise,
the stealth interface circuit 16 will not initiate a stealth port
memory cycle until the next MEMCLK signal period.

When a stealth port memory cycle occurs, the /SP_EN
signal is generated from the PAL circuit U16. As indicated
above, this signal will enable the address and data buffers on
the stealth port. The /SP_EN signal will also enable the
arbitration circuit 114, which issues a specific bus grant
signal /BG for the external user which wins the bus. Once
the external entity detects its bus grant signal, then it may
transmit either the memory address it seeks to read or the
address and data necessary for a write operation. The chip
enable signal /CE is delayed by the PAL circuit U13 to allow
for the delay introduced from the address buffer 110, as the
address needs to be stable before the RAM chips U11-U14
are actually accessed.

For a stealth port read cycle, the data placed on the data
bus 118 will become stable approximately 45 ns after /CE
becomes active. In this regard, it should be noted that
symbols such as "TCE" in the timing diagram of FIG. 5B,
indicate the appropriate delay time duration. A read latch
signal RDLATCH directed to the PAL circuit U16 may then
be used by the external entity to either latch the data into the
buffer 112 or indicate that data is available. For a stealth port
write cycle, the address lines on the address bus 122 will be
monitored by the guardian circuit 120 to ultimately permit or
deny write access to the stealth port 102. When write access
is denied, the guardian circuit will not generate the active
Low chip enable signal /CE, and thereby restrict an external
entity on the stealth port 102 from writing to the particular
address location in the dual-ported data memory 22 that it
has selected. In this event, the guardian circuit 120 will also
generate a write address valid signal "WR_AD_VAL",
which is transmitted to the PAL circuit U16 of the control
circuit 116. The PAL circuit U16 will respond by generating
a write address error signal "WR_AD_ERR" for transmission
to the external entity. The write address error signal is
active High and valid only during the current memory access
cycle, and this signal is common to all external entities.

For stealth port accesses to valid write addresses, the
guardian circuit 120 will activate the /CE signal. Additionally,
the SR/W signal from the external entity should become
active when the bus grant signal /BG is Low. The PAL U16
will also cause the write enable signal /WE for the RAM
chips U11-U14 of the dual-ported data memory 22 to
become active, and the rising edge of the /WE signal is used
to write data into these RAM chips.

The control circuit 116 also includes a timer circuit U10,
which will generate a CLEAR signal approximately 150 ns
after one of the bus grant signals /BG becomes active. The
CLEAR signal is used to cause the tri-state buffers in buffer
chip U8 to generate individual bus grant clear signals
"BG1_CLR . . . BG4_CLR" to each external user. The
CLEAR signal is also used to clear the stealth port memory
cycle by deactivating the stealth port enable signal /SP_EN.
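The C model below is an added illustration, not part of the patent: it expresses in software the access rules the stealth interface enforces in hardware, namely the MEMCLK phase split between the two ports, the request latched on the falling edge of CP, and the guardian withholding /CE for any stealth-port write outside the mailbox section. The memory size and mailbox address range are assumptions, since the description gives neither.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed geometry: the description gives no memory size or mailbox range. */
#define MEM_WORDS     1024u
#define MAILBOX_BASE  0x300u
#define MAILBOX_WORDS 0x100u

typedef enum { SP_DONE, SP_WAIT, SP_DENIED } sp_status_t;

typedef struct {
    uint16_t ram[MEM_WORDS];  /* dual-ported data memory 22 */
    int any_br_latched;       /* /ANY_BR as captured by the CP flip-flop */
    int wr_ad_err;            /* write address error, current cycle only */
} stealth_if_t;

/* Guardian: may /CE be asserted for this stealth-port access? Reads may
 * touch the whole memory; writes only the mailbox section. */
int guardian_chip_enable(uint16_t addr, int is_write)
{
    if (addr >= MEM_WORDS) return 0;
    if (!is_write) return 1;
    return addr >= MAILBOX_BASE && addr < MAILBOX_BASE + MAILBOX_WORDS;
}

/* Internal port: the process control computer owns the memory while MEMCLK
 * is Low and is not subject to the guardian. Returns 1 if stored. */
int pcc_store(stealth_if_t *s, int memclk_high, uint16_t addr, uint16_t val)
{
    if (memclk_high || addr >= MEM_WORDS) return 0;
    s->ram[addr] = val;
    return 1;
}

/* Falling edge of CP: sample whether any external entity wants the bus. */
void cp_falling_edge(stealth_if_t *s, int any_bus_request)
{
    s->any_br_latched = any_bus_request;
}

/* One MEMCLK half-period as seen from the stealth port. For a write, *data
 * is the word to store; for a read, *data receives the word. */
sp_status_t stealth_cycle(stealth_if_t *s, int memclk_high, int is_write,
                          uint16_t addr, uint16_t *data)
{
    s->wr_ad_err = 0;                  /* error flag never outlives a cycle */
    if (!memclk_high || !s->any_br_latched)
        return SP_WAIT;                /* wrong phase, or request not latched */
    s->any_br_latched = 0;             /* CLEAR ends the cycle either way */
    if (!guardian_chip_enable(addr, is_write)) {
        s->wr_ad_err = is_write;       /* /CE withheld, memory untouched */
        return SP_DENIED;
    }
    if (is_write) s->ram[addr] = *data;
    else          *data = s->ram[addr];
    return SP_DONE;
}

int main(void)
{
    static stealth_if_t s;             /* zero-initialised */
    uint16_t word = 0;

    pcc_store(&s, 0, 0x010, 1234);     /* PCC writes a variable, MEMCLK Low */

    cp_falling_edge(&s, 1);
    printf("read 0x010: status %d, data %u\n",
           stealth_cycle(&s, 1, 0, 0x010, &word), (unsigned)word);

    cp_falling_edge(&s, 1);
    word = 0xBEEF;                     /* front end tries to overwrite it */
    printf("write 0x010: status %d, error flag %d, memory still %u\n",
           stealth_cycle(&s, 1, 1, 0x010, &word), s.wr_ad_err,
           (unsigned)s.ram[0x010]);

    cp_falling_edge(&s, 1);
    word = 0x00A5;                     /* message word into the mailbox */
    printf("write mailbox: status %d\n",
           stealth_cycle(&s, 1, 1, MAILBOX_BASE + 2, &word));
    return 0;
}
```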

The present invention has been described in an illustrative
manner. In this regard, it is evident that those skilled in the
art once given the benefit of the foregoing disclosure, may
now make modifications to the specific embodiments
described herein without departing from the spirit of the
present invention. Such modifications are to be considered
within the scope of the present invention which is limited
solely by the scope and spirit of the appended claims.

What is claimed is:

1. A method of providing transparent data transfers
between an actively redundant process control computer and
at least one front end computer which is capable of
communicating with a computer network, comprising the steps
of:

providing a multi-ported memory having at least one
internal port for communicating with said process
control computer and at least one external port for
communicating with said front end computer;

providing a variable section in said multi-ported memory
for periodically storing data collected by said process
control computer in said variable section of said
multi-ported memory;

providing a mailbox section in said multi-ported memory
for storing messages sent from said front end computer
to said process control computer; and

enabling said multi-ported memory to be addressed from
said external port only during a predetermined portion
of an operative clock cycle for said process control
computer, so that either at least one data word stored in
said variable section of said multi-ported memory may
be transferred to a memory associated with said front
end computer or at least one message word may be
transferred from said front end computer to said
mailbox section of said multi-ported memory without any
interference with the operation of said process control
computer.

2. The method according to claim 1, further including the
step of preventing at said process control computer the
ability to write to predetermined locations in said
multi-ported memory from said external port.

3. The method according to claim 2, wherein said
preventing step limits the write access capability from said
external port to only said mailbox section of said
multi-ported memory.

4. The method according to claim 3, wherein the entire
contents of said multi-ported memory may be read from said
external port.

5. The method according to claim 1, wherein at least one
of said messages sent from said front end computer causes
a change in a value used by the program of said process
control computer.

6. The method according to claim 1, further including the
step of selectively enabling additional communication
devices to access said multi-ported memory from said
external port during said predetermined portion of said
operative clock cycle.

7. A stealth interface for providing transparent data
transfers between an actively redundant process control computer
and at least one front end computer which is capable of
communicating with a computer network, said interface
comprising:

a multi-ported data memory having an internal port
connected to a bus structure of said process control
computer and at least one external port for communicating
with said front end computer; said multi-ported data
memory having a variable section for periodically
storing data collected by said process control computer,
and a mailbox section for storing messages from said
front end computer to said process control computer;

external access control means, coupled to a clock signal
associated with operation of said process control
computer, for enabling at least one word address in said
multi-ported data memory to be accessed from said
external port only during a predetermined portion of a
cycle for said clock signal; and

guardian means connected to said multi-ported data
memory for limiting write access permitted from said
external port to predetermined address locations in said
multi-ported memory.

8. The stealth interface according to claim 7, wherein the
predetermined locations are confined to said mailbox section
of said multi-ported data memory.

9. The stealth interface according to claim 7, further
including timing means for clearing said external port prior
to the end of said predetermined portion of the cycle for said
clock signal.

10. The stealth interface according to claim 7, wherein
said external access control means includes error signaling
means for transmitting a write error signal to said external
port when said guardian means has denied write access to
said front end computer.

11. The stealth interface according to claim 7, wherein
said guardian means is comprised of a programmable array
logic circuit which is connected to the bus structure of said
multi-port data memory.

12. A stealth interface for providing transparent data
transfers between an actively redundant process control
computer and at least one front end computer which is
capable of communicating with a computer network, said
interface comprising:

a multi-ported data memory having:
at least one internal port for communicating with said
process control computer,
at least one external port for communicating with said
front end computer,
a variable section for periodically storing data collected
by said process control computer, and
a mailbox section for storing messages from said front
end computer to said process control computer; and
access control means for enabling said multi-ported
memory to be addressed from said external port only
during a predetermined portion of an operative clock
cycle for said process control computer, so that either
at least one data word stored in memory in said variable
section of said multi-ported memory may be transferred
to a memory associated with said front end computer or
at least one message word may be transferred from said
front end computer to said mailbox section of said
multi-ported memory without any interference with the
operation of said process control computer.